Police blotter: Ex-employee sued for deleting files

Police blotter is a weekly News.com report on the intersection of technology and the law.

What: Pharmaceutical supplier sued former employee, claiming use of a secure file deletion utility violated federal hacking laws.

When: U.S. District Judge Richard Lazzara ruled on March 21.

Outcome: Temporary restraining order granted against ex-employee until court hearing on March 30.

What happened, according to court documents: Until recently, Scott Arledge was a senior vice president at PharMerica in Tampa, Fla., where he was responsible for more than 2,500 employees and oversaw much of the company's day-to-day operations.

On March 9, 2007, Arledge resigned to take a job as a vice president with Omnicare, PharMerica's primary competitor. Both companies are in the business of supplying equipment and supplies to long-term care facilities such as nursing homes and hospitals.

According to PharMerica's version of events, its former employee permanently deleted more than 475 files from his work computer two days before his resignation. That's based on a forensic examination of Arledge's company-issued Windows laptop by E-Hounds, a Florida data recovery firm.

In most operating systems, "deleting" a file removes only references to it in the directory structure but the file's contents can remain on the hard drive until they're eventually overwritten. Utilities like PGP, open-source programs such as Wipe, and a built-in feature in Apple's OS X called Secure Empty Trash can ensure the data has truly vanished.

PharMerica sued. Its complaint claims that Arledge violated the Computer Fraud and Abuse Act, a federal computer crime law, by deleting the files.

The CFAA says whoever "knowingly causes damage without authorization" to a networked computer can face civil and criminal liability. (It was intended to be used to prosecute computer hackers, but Congress did a sloppy job in drafting it.)

This isn't even the first time that the CFAA has been invoked against file-deleting employees. As Police Blotter was the first to report last year, the CFAA was successfully used in a 7th Circuit case against an employee who turned in his work laptop after using a "secure delete" utility.

In the PharMerica v. Arledge case, U.S. District Judge Richard Lazzara granted PharMerica's request for a temporary restraining order against its former employee and required it to post a $10,000 bond. Lazzara reasoned that "Arledge's actions have likely caused damage to PharMerica's electronic information and computer systems." The injunction remains in place until a hearing on March 30.

The case does have some twists. PharMerica claims that Arledge took confidential information with him by saving it to a USB drive and by e-mailing it to his personal AOL account, an allegation that likely swayed the judge to view deleting files as part of the same unlawful act. It's also only a preliminary ruling, meaning that Arledge's attorney will have a chance at the hearing to rebut the allegations against his client. Finally, PharMerica does not seem to be claiming that Arledge deprived the company of the only copy of the data; instead it's arguing the deletions were intended to "cover his tracks."

Although this case and the 7th Circuit's ruling last year deal with managers, the same logic applies to any employee who secure-deletes personal files from a work computer. A blog post from Bradley Nahrstadt, an Illinois attorney, says that "simply labeling the information 'personal' and then deleting it would not, in my opinion, protect the employee from the full reach" of the CFAA.

A better solution would probably be to save all personal files to a USB stick or portable hard drive that is not owned by your employer. Even better, use Web-based services for e-mail or bring your own laptop to work.

Excerpts from Lazzara's opinion: Shortly thereafter, PharMerica began examining its computers, including the laptop computer that Arledge used in his Tampa office. Stephen J. Myers, director of Windows and Communications Services at PharMerica, was directed to review Arledge's laptop computer. While reviewing the laptop, he determined that there were several thousand e-mails on the laptop but that the hard drive "C" drive was virtually empty. PharMerica also employed a forensic computer expert, Adam Sharp at E-Hounds, to examine the PharMerica computer that Arledge had been using at his Tampa office...

Arledge then permanently deleted, without authorization, over 475 files. Arledge also permanently deleted, without authorization, e-mails and other files to "cover his tracks" and deprive PharMerica of the benefit of the information contained in those files...

Arledge accessed PharMerica computers and permanently deleted files that he was not authorized to permanently delete. Arledge's actions damaged PharMerica in that they destroyed information and electronic data belonging to PharMerica, impaired PharMerica's access to its data, and caused PharMerica to incur substantial expenses to attempt to recover its information and electronic data. All of these actions tend to show a likelihood of success on PharMerica's claim brought under (the Computer Fraud and Abuse Act)...

Arledge's actions have likely caused damage to PharMerica's electronic information and computer systems in a loss exceeding $5,000. Such loss would include, but would not be limited to, expenses incurred to (a) examine the laptop computer that had been assigned to Arledge, (b) determine what files had been copied and deleted, and (c) attempt to restore information and electronic data Arledge destroyed or deleted.

For these reasons, not unlike similar cases where employers have pursued civil remedies under the CFAA against employers who "seek a competitive edge through wrongful use of information from the former employer's computer system," PharMerica would likely succeed in winning on the merits of this claim.

[Kings X Rocks!]

Better than a good resume...

Maybe that's how he got the omnicare job!!!

[m.meister]

Just Sour Grapes

This type of action is more often sour grapes, especially given
the claims made by the company.

I love how the suspicion of activity causes efforts on the part of
company that is in excess of the $5000 limit, thus insuring it
applies. What a sick world we live in.

And these judges that know ZERO about technology just buy
into this without a second thought.

Since it was a laptop, I assume he took it out of the office. Does
that mean that any computer that ever gets plugged into a
network is considered a networked computer?

If he was not authorized to delete files, why did the company
give him privileges to do that on the machine? Did they give him
explicit instructions that he was not allowed to delete files?

Ultimately, it sure looks like this is a company that has
accusations without any real proof. He must be an absolute
computer whiz if he is able to remove absolutely ALL evidence of
his alleged actions such that an "expert" can't find anything.

This seems like a continuing example of the failure of our
legislature and judicial branches.

[MadKiwi]

Police Blotter: Best c|net section...

... by far. It has the depth of coverage/discussion and degree of neutrality sadly lacking in all other c|net sections.

[PhillyBoy919]

Call the Waaambulance...

They just sound bitter that the guy bailed on them for their competitor and they were looking for any reason to get him. What classless, petty, B.S.

[eldernorm]

The Fall of America

If there is anything that can kill this country it is going to be the lawyers. PERIOD.

The loss to the company of $5000 was due to costs incurred by the company when spying on the guy. THey checked his computer. They found that he took his personal files with him. They could not snoop on what he was doing when he was there. (How come they did not care to snoop when he was there??? )

If he stole company information, then he is guilty. If the company had a rule that he signed off on that said that you could never delete anything on the computers, then he is guilty. Otherwise, as said above, its sour grapes. They are pissed that he left for another company.

Ben Franklin was right. "First we shoot all the lawyers..."

[Cope25]

This Lawsuit has no merrit!

I work in IT and I know that even if a user deletes their files and e-mail this should not be as big a problem unless their IT department doesn't have a decent backup strategy in place. Most corporate e-mail servers keep e-mails on a centralized mail server that is backed up on a regular basis. Any major IT firm should have backups in place for their e-mail, web and file system servers. Since most confidential data is either supplied on shared file systems and web sites that are usually backed up or though company e-mail servers that are backed up, aside from personal notes/files that are not sent via e-mail or put into shared folders most of the data should be recoverable. Laptop HD's die all the time and if these safeguards are not in place, then the company has much larger issues. However, pulling private company data off of a personal laptop for personal gain shows unethical practices of the individual, and any company hiring such an individual is setting them selfs up to be taken advantage of. If anything, the employees former employer should sue for theft of privileged company data - this should be easily accomplished if their backups show mail sent from this employee to their personal account.

[moretroops]

Hi hack lawyers

It's a preliminary ruling UNTIL the judge can rule on the merits.
Since there's been no discovery yet, the court has to freeze the
case until discovery can be performed, and a full hearing had on
the merits. So don't get your panties in a wad yet. Maybe this
defendant wins. Only preliminary geniuses. I love it when desk
jockies, IT undergrads, and unemployed cnet readers play matlock.
It reminds me why people actually hire lawyers.

[Joe Koskovics]

Secure Delete, Uncertain Results

This case appears to be very complicated.

What this case does provide is a lesson to ALL corporate computer users to understand the company's computer use policy. If you do a "secure delete", make sure you have a printed copy of the approval to delete and clean the PC BEFORE you do anything to the computer.

Under the correct conditions a company might prefer a wipe of a machine, but only with prior approval. On the other hand deleting important data on a company PC is a risk because you do not own the data, the company owns it.

Regardless of the real reasons and conditions, a paper trail is a strong, protective exit strategy. for both the employer and the (soon to be) former employee. We should all learn from this.